---
icon: cloud
title: Single Sign On (SSO)
description: How to use your own identity provider
---

<Info>Available in v3.4.0 and later.</Info>

<Warning>
  Accounts using the same email are linked together. This assumes that you are
  using a trusted identity provider that uses verified email addresses.
</Warning>

## OpenID Connect (OIDC)

If your identity provider supports OAuth 2.0 based authentication with OpenID Connect (OIDC), you can use it to authenticate users on your Rallly instance.

### Required Scopes

Your OAuth 2.0 application needs to be configured with the following scopes:

- `openid`: Essential for OIDC to function, used to perform authentication.
- `profile`: Access to the user's personal information such as name and picture.
- `email`: Access to the user's email address.

### Callback URL / Redirect URI

Your identity provider should redirect the user back to the following URL:

```
{BASE_URL}/api/auth/callback/oidc
```

<Info>
  Replace `{BASE_URL}` with the base URL of your Rallly instance and add it to
  the list of allowed redirect URIs.
</Info>

### Configuration

The following configuration options are available for OIDC.
All required fields must be set for OIDC to be enabled.

<ParamField path="OIDC_NAME" default="OpenID Connect">
  The display name of your provider as it will be shown on the login page
</ParamField>

<ParamField path="OIDC_DISCOVERY_URL" required>
  URL of the `.well-known/openid-configuration` endpoint for your OIDC provider
</ParamField>

<ParamField path="OIDC_CLIENT_ID" required>
  The client ID of your OIDC application
</ParamField>

<ParamField path="OIDC_CLIENT_SECRET" required>
  The client secret of your OIDC application
</ParamField>

<ParamField path="OIDC_NAME_CLAIM_PATH" default="name">
  The path to the claim that contains the user's name
</ParamField>

<ParamField path="OIDC_EMAIL_CLAIM_PATH" default="email">
  The path to the claim that contains the user's email address
</ParamField>

<ParamField path="OIDC_PICTURE_CLAIM_PATH" default="picture">
  The path to the claim that contains the user's profile picture
</ParamField>

<Info>Use dot notation in `_CLAIM_PATH` fields to access nested objects.</Info>
